
How do I verify if I have secured end-to-end encryption on my AWS Fargate container? I have described the approach below:

Application Load Balancer listening on 443, using a certificate from AWS Certificate Manager. The target group's protocol is HTTPS on port 8443, and the health check protocol is HTTPS too. A Spring Boot application's Docker image is running on the container; the host/container port is 8443. I have the same certificate in the classpath of the application in a PKCS12 file (it has the certificate and private key in it). The Docker image's and the application's port is 8443.

It says it is a secure connection when I hit the application URL. I understand SSL offloading happens at the load balancer level in an ALB. But does the above approach mean end-to-end encryption has been achieved? And how do I verify that?

LiavReuven
yaja6021

1 Answer


> I understand SSL offloading happens at the load balancer level in ALB

SSL offloading is an option with an ALB, if you have target groups using the HTTP protocol instead of HTTPS. Offloading implies you're terminating SSL at the load balancer, then using HTTP between the ALB and the target, which isn't what's happening for you.

> But does the above approach mean an end to end encryption has been achieved?

If you're using an HTTPS target group, like you are doing, you ought to have end-to-end encryption. You've got the right idea to verify, though, so you can be sure.

> And how do I verify that?

You can ensure the traffic to your ALB is using SSL by enabling access logs. You're also seeing SSL in your browser.

You can test that the targets are receiving SSL traffic by running something like tcpdump or ssldump (or both!) on your target web server.

bluescores
  • Hey, thanks a lot! Is there any tutorial on how to run tcpdump/windump for an AWS ECS target group? Any pointers would be much appreciated. – yaja6021 Aug 16 '18 at 10:57
  • IIRC you can run `tcpdump` in your container, something like `tcpdump -i any -w log.pcap port 8443`, to capture packet information for traffic on port 8443 to a file. If you look at that file, you'll see the packets are gibberish, encrypted. You can then use `ssldump` with the -r flag to load the pcap file and decrypt those packets. I'm on mobile at the moment, so I'm not able to provide a more complete example from memory, but that's the gist of how I have verified this in the past. – bluescores Aug 16 '18 at 14:21
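Two caveats on the verification suggested above. First, `ssldump` only decrypts when it is given the server's private key (`-k`), and it cannot decrypt sessions negotiated with an ephemeral (ECDHE) key exchange even then; you do not need decryption to prove the hop is encrypted, though, because the first bytes a TLS client sends are a ClientHello record (content type `0x16`, version `0x03 0x0?`, handshake type `0x01`), whereas plaintext HTTP starts with a method such as `GET `. Second, "end to end" with an HTTPS target group still means the ALB terminates the browser's TLS session and opens a second one to the task, so the ALB sees plaintext, and the ALB does not validate the target's certificate, so the PKCS12 file on the container only has to make the app speak TLS. The script below is an added example for this page, not code from the question or answer: it reads the pcap written by `tcpdump -i any -w log.pcap port 8443` (classic pcap, not pcapng), takes the first payload each client sent to port 8443, and reports `tls` (with the SNI from the ClientHello) or `plaintext-http`. The IP addresses, ports and hostname in the embedded sample capture are constructed for the demonstration; the `build_*` helpers exist only to construct that fixture.

```python
"""Classify the first client bytes of each TCP flow to a port in a pcap as a
TLS ClientHello or plaintext HTTP.  Added example for this page; run inside
the task over the output of `tcpdump -i any -w log.pcap port 8443`.
Sample capture (IPs, ports, hostname) below is constructed, not real."""
import struct
import sys

# Link-layer header length and offset of the EtherType field for the link
# types tcpdump writes on Linux: Ethernet, cooked (-i any), cooked v2.
LINK_TYPES = {1: (14, 12), 113: (16, 14), 276: (20, 0)}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ", b"PATCH ")


def iter_pcap(data):
    """Yield (link_type, packet_bytes) for every record of a classic pcap file."""
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        e = ">"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        e = "<"
    else:
        raise ValueError("not a pcap file (pcapng is not supported)")
    link_type = struct.unpack(e + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "IIII", data[off:off + 16])[2]
        off += 16
        yield link_type, data[off:off + incl_len]
        off += incl_len


def tcp_payload(link_type, pkt):
    """Return (src_ip, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if link_type not in LINK_TYPES:
        raise ValueError(f"unsupported link type {link_type}")
    hdr_len, type_off = LINK_TYPES[link_type]
    if pkt[type_off:type_off + 2] != b"\x08\x00":          # not IPv4
        return None
    ip = pkt[hdr_len:]
    ip = ip[:struct.unpack(">H", ip[2:4])[0]]               # drop Ethernet padding
    if ip[0] >> 4 != 4 or ip[9] != 6:                       # IPv4 + TCP only
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack(">HH", tcp[:4])
    src = ".".join(str(b) for b in ip[12:16])
    return src, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def parse_client_hello(data):
    """Return {'version', 'sni'} if data starts with a TLS ClientHello record, else None.
    Layout: record header (5) + handshake header (4) + client_version(2) + random(32)
    + session_id + cipher_suites + compression_methods + extensions."""
    try:
        if data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
            return None
        body = data[9:]
        version = struct.unpack(">H", body[:2])[0]
        pos = 34                                                  # past version + random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        sni = None
        if pos + 2 <= len(body):
            ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= ext_end:
                ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
                pos += 4
                if ext_type == 0:      # server_name: list_len(2) name_type(1) name_len(2) name
                    name_len = struct.unpack(">H", body[pos + 3:pos + 5])[0]
                    sni = body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
                pos += ext_len
        return {"version": version, "sni": sni}
    except (IndexError, struct.error):                            # truncated or not TLS
        return None


def classify(first_bytes):
    """'tls' for a ClientHello, 'plaintext-http' for an HTTP request line, else 'unknown'."""
    if parse_client_hello(first_bytes):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def audit_pcap(data, port):
    """Map (client_ip, client_port) -> verdict for the first payload each client sent to port."""
    verdicts = {}
    for link_type, pkt in iter_pcap(data):
        parsed = tcp_payload(link_type, pkt)
        if parsed is None:
            continue
        src, sport, dport, payload = parsed
        if dport == port and payload and (src, sport) not in verdicts:
            verdicts[(src, sport)] = classify(payload)
    return verdicts


def build_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, SNI extension); test fixture only."""
    name = sni.encode()
    sni_ext = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack(">HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def build_pcap(packets):
    """Constructed little-endian pcap of Ethernet/IPv4/TCP packets (checksums zero); test fixture only."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport, payload in packets:
        tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: an ALB-style TLS client, a plaintext client that must not
# appear if the target group really is HTTPS, and unrelated port-80 traffic.
SAMPLE_PCAP = build_pcap([
    ("10.0.1.10", 40001, "10.0.9.5", 8443, build_client_hello("app.example.com")),
    ("10.0.2.20", 40002, "10.0.9.5", 8443, b"GET /actuator/health HTTP/1.1\r\nHost: app.example.com\r\n\r\n"),
    ("10.0.3.30", 40003, "10.0.9.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (ip, port), verdict in audit_pcap(raw, 8443).items():
        print(f"{ip}:{port} -> {verdict}")
```

Usage: `python3 audit_pcap.py log.pcap` inside the task (or with no argument to run against the constructed sample). Every ALB node that connects should show up as `tls`; any `plaintext-http` line on 8443 means something other than the HTTPS target group is reaching the container unencrypted, and `unknown` is worth a look in Wireshark. The ClientHello's SNI is also a useful sanity check on which hostname the ALB is presenting to the target.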